config load-balance persistence

Use this command to configure persistence rules.

Persistence rules identify traffic that should not be load-balanced, but instead forwarded to the same backend server that has seen requests from that source before. Typically, you configure persistence rules to support server transactions that depend on an established client-server session, like e-commerce transactions or SIP voice calls.

The system maintains persistence session tables to map client traffic to backend servers based on the session attribute specified by the persistence rule.

The persistence table is evaluated before load balancing rules. If the packets received by the ADC match an entry in the persistence session table, the packets are forwarded to the server that established the connection, and load balancing rules are not applicable.

Most persistence rule types have a timeout. When the time that has elapsed since the system last received a request from the client IP address is greater than the timeout, the system does not use the mapping table to forward the request. Instead, it again selects the server using the method specified in the virtual server configuration. Hash-based rule types have a timeout built into the hash algorithm. For other types, you can specify the timeout.

Table 9 describes the predefined persistence rules. You can get started with these commonly used persistence methods or create custom objects.

Predefined persistence rules

Predefined	Description
LB_PERSIS_SRC_ADDR	Persistence based on source IP address or subnet.
LB_PERSIS_HASH_SRC_ADDR	Persistence based on a hash of source IP address.
LB_PERSIS_HASH_SRC_ADDR_PORT	Persistence based on a hash that includes source IP address and port.
LB_PERSIS_HASH_COOKIE	Persistence is based on a hash of a cookie provided by client request.
LB_PERSIS_RDP_COOKIE	Persistence based on RDP cookie sent by RDP clients in the initial connection request.
LB_PERSIS_SSL_SESS_ID	Persistence based on the SSL session ID.
LB_PERSIS_SIP_CALL_ID	Persistence based on the SIP call ID.
LB_PERSIS_PASSIVE_COOKIE	Persistence based on a passive cookie generated by the server. FortiADC does not generate or manage the cookie, but only observes it in the HTTP stream, thus the name "passive cookie". Also known as "server cookie".

Before you begin:

• You must have a good understanding and knowledge of the applications that require persistent sessions and the methods that can be used to identify application sessions.
• You must have read-write permission for load balancing settings.

FortiADC supports the following persistence rule types.

• Source Address
• Source Address Hash
• Source Address-Port Hash
• HTTP Header Hash
• HTTP Request Hash
• Cookie Hash
• Persistent Cookie
• Passive Cookie
• Insert Cookie
• Rewrite Cookie
• Embedded Cookie
• RADIUS Attribute
• SSL Session ID
• SIP Call ID
• RDP Cookie
• ISO8583 Bitmap

Each persistence rule type requires specific parameters to be applied. Use the links above to navigate to the CLI commands for each persistence rule type.

After you have configured a persistence rule, you can select it in the virtual server configuration.

Source Address

Use this command to create a Source Address persistence rule. Persistence is based on the source IP address.

Syntax

config load-balance persistence

edit <name>

set type source-address

set timeout <integer>

set ipv4-maskbits <integer>

set ipv6-maskbits <integer>

set match-across-servers {enable|disable}

next

end

timeout	Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300). When the time that has elapsed since the system last received a request from the client IP is greater than the timeout, the system would not use the mapping table to forward the request. Instead, it again selects the server using the method specified in the virtual server configuration.
ipv4-maskbits	Specify the number of bits in a IPv4 subnet mask to specify a network segment that should follow the persistence rule. (Range: 1-32, default: 32). For example, if IPv4 maskbits is set to 24, and the backend server A responds to a client with the source IP 192.168.1.100, server A also responds to all clients from subnet 192.168.1.0/24.
ipv6-maskbits	Specify the number of bits in a IPv6 subnet mask to specify a network segment that should follow the persistence rule. (Range: 1-128, default: 128).
match-across-servers	If enabled, clients will continue to access the same backend server through different virtual servers for the duration of a session.

Example

config load-balance persistence

edit "source-address"

set type source-address

set timeout 300

set ipv4-maskbits 32

set ipv6-maskbits 128

set match-across-servers enable

next

end

Source Address Hash

Use this command to create a Source Address Hash persistence rule. Persistence is based on a hash of the IP address of the client making an initial request.

Syntax

config load-balance persistence

edit <name>

set type consistent-hash-ip

next

end

Source Address-Port Hash

Use this command to create a Source Address-Port Hash persistence rule. Persistence is based on a hash of the IP address and port of an initial client request.

Syntax

config load-balance persistence

edit <name>

set type hash-source-address-port

next

end

HTTP Header Hash

Use this command to create a HTTP Header Hash persistence rule. Persistence is based on a hash of the specified header value found in an initial client request.

Syntax

config load-balance persistence

edit <name>

set type hash-http-header

set keyword <string>

next

end

keyword

Specify the HTTP header value.

Example

config load-balance persistence

edit "hash-http-header"

set type hash-http-header

set keyword <string>

next

end

HTTP Request Hash

Use this command to create a HTTP Request Hash persistence rule. Persistence is based on a hash of the specified URL parameter in an initial client request.

Syntax

config load-balance persistence

edit <name>

set type hash-http-request

set keyword <string>

next

end

keyword

Specify the URL parameter.

Example

config load-balance persistence

edit "hash-http-request"

set type hash-http-request

set keyword <string>

next

end

Cookie Hash

Use this command to create a Cookie Hash persistence rule. Persistence is based on a hash of a cookie provided by client request.

Syntax

config load-balance persistence

edit <name>

set type hash-cookie

set keyword <string>

next

end

keyword

Specifies the cookie name. If the specified cookie keyword is a valid cookie name from which the cookie value can be extracted, it will be used to calculate the hash. Without the keyword, the hash will be calculated using the whole cookie. Otherwise, the default round robin method will be used.

Example

config load-balance persistence

edit "hash-cookie"

set type hash-cookie

set keyword myCookieName

next

end

Persistent Cookie

Use this command to create a Persistent Cookie persistence rule. Persistence is based on the cookie provided in the backend server response. It forwards subsequent requests with this cookie to the original backend server.

Syntax

config load-balance persistence

edit <name>

set type persistent-cookie

set keyword <string>

set timeout <integer>

next

end

keyword	Specify the backend server cookie name.
timeout	Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300).

Example

config load-balance persistence

edit "persistent-cookie"

set type persistent-cookie

set keyword myCookieName

set timeout 300

next

end

Passive Cookie

Use this command to create a Passive Cookie persistence rule. Persistence is based on the cookie which is generated from the server.

Syntax

config load-balance persistence

edit <name>

set type passive-cookie

set sess-keyword {auto|PHPSESSID|JSESSIONID|CFID+CFTOKEN|ASP.NET_SessionId|custom}

set keyword <string>

set timeout <integer>

next

end

sess-keyword	Specify the cookie which is generated from the server. Select either of the following: auto — includes all options except custom. PHPSESSID JSESSIONID CFID+CFTOKEN ASP.NET_SessionId custom — use a custom defined cookie name.
keyword	The keyword option is available if sess-keyword is custom. Specify the backend server cookie name.
timeout	Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300).

Example

config load-balance persistence

edit "passive-cookie"

set type passive-cookie

set sess-keyword auto

set timeout 300

next

end

Insert Cookie

Use this command to create an Insert Cookie persistence rule. Persistence is based on a cookie inserted by the FortiADC system.

The system inserts a cookie whose name is the value specified by Keyword and whose value is the real server pool member Cookie value and expiration date (if the client does not already have a cookie).
For example, if the value of Keyword is sessid and the real server pool member Cookie value is rs1, FortiADC sends the cookie sessid=rs1|U6iFN to the client, where U6iFN is the expiration date as a base64 encoded string.

Syntax

config load-balance persistence

edit <name>

set type insert-cookie

set keyword <string>

set timeout <integer>

set cookie-domain <string>

set cookie-httponly {enable|disable}

set cookie-secure {enable|disable}

set cookie-samesite {nothing|none|lax|strict}

set cookie-custom-attr {enable|disable}

set cookie-custom-attr-value <string>

next

end

keyword	Specify the backend server cookie name.
timeout	Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300).
cookie-domain	Specifies the domain attribute of the cookie. If the cookie attribute does not match or is not applicable, the user agent will ignore the cookie and will not enforce persistence.
cookie-httponly	Enable/disable to add the "HTTPOnly" flag to cookies. This option is disabled by default. The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts). If the cookie attribute does not match or is not applicable, the user agent will ignore the cookie and will not enforce persistence.
cookie-secure	Enable/disable to add the Secure flag to cookies. This option is disabled by default. The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS). If the cookie attribute does not match or is not applicable, the user agent will ignore the cookie and will not enforce persistence.
cookie-samesite	Add a SameSite attribute to prevent the browser from sending cookies along with cross-site requests, to mitigate the risk of cross-origin information leakage. It provides Strict, Lax, and None values for this attribute: nothing — Do not add Samesite attribute to cookies. The default value is nothing. none — set the value as none if a cookie is required to be sent by cross origin. Note: If cookie-secure is enabled, then cookie-samesite should be set to none. lax — any request from the third parties will not carry such cookies except for GET requests that navigate to the destination URL. strict — any request from the third parties will not carry such cookies If the cookie attribute does not match or is not applicable, the user agent will ignore the cookie and will not enforce persistence.
cookie-custom-attr	Enable to specify custom attributes. This option is disabled by default. When cookie-custom-attr is enabled, the following options become unavailable: cookie-domain, cookie-httponly, cookie-secure, and cookie-samesite.
cookie-custom-attr-value	The cookie-custom-attr-value option appears if cookie-custom-attr is enabled. Specify the full cookie attributes, including any of the standard attributes and any of the custom attributes. If the cookie attribute does not match or is not applicable, the user agent will ignore the cookie and will not enforce persistence.

Example

config load-balance persistence

edit "insert-cookie"

set type insert-cookie

set keyword MyInsCookieName

set timeout 300

set cookie-domain .example.com

set cookie-httponly enable

set cookie-secure enable

set cookie-samesite nothing

set cookie-custom-attr disable

next

end

Rewrite Cookie

Use this command to create a Rewrite Cookie persistence rule. Persistence is based on the cookie provided in the backend server response, but the system rewrites the cookie.

Syntax

config load-balance persistence

edit <name>

set type rewrite-cookie

set keyword <string>

next

end

keyword

Specify the backend server cookie name.

Example

config load-balance persistence

edit "rewrite-cookie"

set type rewrite-cookie

set keyword myCookieName

next

end

Embedded Cookie

Use this command to create a Embedded Cookie persistence rule. Persistence is based on the cookie provided in the backend server response.

The system checks the HTTP response for a Set-Cookie: value that matches the value specified by Keyword in the persistence configuration. However, it preserves the original value and adds the real server pool member Cookie value and a ~ (tilde) as a prefix.

For example, the value of Keyword is sessid. The real server pool member Cookie value is rs1. After an initial client request, the response from the server contains Set-Cookie: sessid=666, which the system changes to Set-Cookie: sessid=rs1~666. It uses this rewritten value to forward subsequent requests to the same backend server as the original request.

Syntax

config load-balance persistence

edit <name>

set type embedded-cookie

set keyword <string>

next

end

keyword

Specify the backend server cookie name.

Example

config load-balance persistence

edit "embedded-cookie"

set type embedded-cookie

set keyword myCookieName

next

end

RADIUS Attribute

Use this command to create a RADIUS Attribute persistence rule. Persistence is based on a specified RADIUS attribute.

Syntax

config load-balance persistence

edit <name>

set type radius-attribute

set timeout <integer>

set match-across-servers {enable|disable}

set override-connection-limit {enable|disable}

set radius-attribute-relation {AND|OR}

config radius-attribute

edit <No.>

set type {1-user-name|4-nas-ip-address|5-nas-port|6-service-type|7-framed-protocol|8-framed-ip-address|9-framed-ip-netmask|12-framed-mtu|13-framed-compression|14-login-ip-host|19-callback-number|24-state|26-vendor-specific|30-called-station-id|31-calling-station-id|32-nas-identifier|33-proxy-state|34-login-lat-service|35-login-lat-node|36-login-lat-group|60-chap-challenge|61-nas-port-type|62-port-limit|63-login-lat-port}

set vendor-id <integer>

set vendor-type <integer>

next

end

next

end

timeout	Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300). When the time that has elapsed since the system last received a request from the client IP is greater than the timeout, the system would not use the mapping table to forward the request. Instead, it again selects the server using the method specified in the virtual server configuration.
match-across-servers	An option for radius-attribute and source-address persistence methods. Enable so clients continue to access the same backend server through different virtual servers for the duration of a session.
override-connection-limit	An option for radius-attribute only. Disabled by default. If the real server connection limit is reached and this option is enabled, the new connection will neither persist to the new server nor go to another node.
radius-attribute-relation	Specify the relation when multiple radius attributes are configured. AND — All of the specified radius attributes must be the same in the hash table to be persistent. OR — Search the first radius attribute in the hash table for persistence if the first radius attribute exists. If not, search the following radius attributes in sequence.
config radius-attribute
type	Specify the Radius attribute type: 1-user-name 4-nas-ip-address 5-nas-port 6-service-type 7-framed-protocol 8-framed-ip-address 9-framed-ip-netmask 12-framed-mtu 13-framed-compression 14-login-ip-host 19-callback-number 24-state 26-vendor-specific 30-called-station-id 31-calling-station-id 32-nas-identifier 33-proxy-state 34-login-lat-service 35-login-lat-node 36-login-lat-group 60-chap-challenge 61-nas-port-type 62-port-limit 63-login-lat-port
vendor-id	The vendor-id option is available if the radius attribute type is 26-vendor-specific. The number specifies the vendor id. 0 means the entire attribute will be used as a persistence input.
vendor-type	The vendor-id option is available if the radius attribute type is 26-vendor-specific. The number specifies the vendor type. 0 means the entire attribute will be used as a persistence input.

Example

config load-balance persistence

edit "radius-attribute"

set type radius-attribute

set timeout 300

set match-across-servers enable

set override-connection-limit enable

set radius-attribute-relation AND

config radius-attribute

edit 1

set type 4-nas-ip-address

next

end

next

end

SSL Session ID

Use this command to create a SSL Session ID persistence rule. Persistence is based on SSL session ID.

Syntax

config load-balance persistence

edit <name>

set type ssl-session-id

set timeout <integer>

next

end

timeout

Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300).

Example

config load-balance persistence

edit "ssl-session-id"

set type ssl-session-id

set timeout 300

next

end

SIP Call ID

Use this command to create a SIP Call ID persistence rule. Persistence is based on SIP Call ID. For SIP services, you can establish persistence using Source Address, Source Address Hash, or SIP caller ID.

Syntax

config load-balance persistence

edit <name>

set type sip-call-id

set timeout <integer>

next

end

timeout

Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300).

Example

config load-balance persistence

edit "sip-call-id"

set type sip-call-id

set timeout 300

next

end

RDP Cookie

Use this command to create a RDP Cookie persistence rule. Persistence based on RDP cookie sent by RDP clients in the initial connection request.

Syntax

config load-balance persistence

edit <name>

set type rdp-cookie

next

end

ISO8583 Bitmap

Use this command to create a ISO8583 Bitmap persistence rule. Persistence is based on the bitmap.

Syntax

config load-balance persistence

edit <name>

set type iso8583-bitmap

set timeout <integer>

set iso8583-bitmap-relation {AND|OR}

set keyvalue-relation {AND|OR}

config iso8583-bitmap

edit <No.>

set type {2-primary-acct-num|3-process-code|7-date-time-trans|11-sys-trace-audit-num|12-date-tm-loc-trans|18-merchant-type|19-acq-inst-cy-code|20-PAN-ext-cy-code|21-fwd-inst-cy-code|22-POS-date|23-card-seq-num|24-function-code|32-acq-inst-id-code|33-fwd-inst-id-code|37-retrieval-ref-num|40-serv-restrict-code|41-card-accept-term-id|42-card-accept-id-code|52-PIN-data|67-ext-payment-code|68-recv-inst-cy-code|69-settle-inst-cy-code|73-date-action|74-credits-num|75-credits-reversal-num|76-debits-num|77-debits-reversal-num|78-tranfer-num|79-transfer-reversal-num|80-inquiries-num}

next

end

next

end

timeout	Specify the timeout (in seconds) for an inactive persistence session table entry. (Range: 1-86400, default: 300).
iso8583-bitmap-relation	Specify the relation among the bitmap type be AND/OR. The default is OR.
keyvalue-relation	The keyvalue-relation option is available if iso8583-bitmap-relation is OR. Specify the relation of keyvalue be AND/OR. The default is AND.
config iso8583-bitmap
type	Specify the bitmap type from the following 30 supported types: 2-primary-acct-num 3-process-code 7-date-time-trans 11-sys-trace-audit-num 12-date-tm-loc-trans 18-merchant-type 19-acq-inst-cy-code 20-PAN-ext-cy-code 21-fwd-inst-cy-code 22-POS-date 23-card-seq-num 24-function-code 32-acq-inst-id-code 33-fwd-inst-id-code 37-retrieval-ref-num 40-serv-restrict-code 41-card-accept-term-id 42-card-accept-id-code 52-PIN-data 67-ext-payment-code 68-recv-inst-cy-code 69-settle-inst-cy-code 73-date-action 74-credits-num 75-credits-reversal-num 76-debits-num 77-debits-reversal-num 78-tranfer-num 79-transfer-reversal-num 80-inquiries-num

Example

config load-balance persistence

edit "iso8583-bitmap"

set type iso8583-bitmap

set timeout 300

set iso8583-bitmap-relation OR

set keyvalue-relation AND

config iso8583-bitmap

edit 1

set type 2-primary-acct-num

next

end

next

end